Juniper Confirms Leaked Implants Target Its Products

Juniper Networks has analyzed the implants leaked by Shadow Brokers and while it has confirmed that some of them target its products, the company has not found any evidence that they exploit a vulnerability.

Shadow Brokers has released roughly 300Mb of firewall exploits, implants and tools allegedly stolen from the Equation Group, a threat actor believed to be linked to the U.S. National Security Agency (NSA). The group also claims to possess additional information, which it’s offering to sell for 1 million Bitcoin (roughly $575 million).

Kaspersky Lab and others have confirmed that the files appear to be legitimate, but pointed out that they date back to 2010-2013. Previously unpublished documents released by former NSA contractor Edward Snowden also show that the code is genuine.

Fortinet, Cisco and WatchGuard have analyzed the leaked implants and exploits. While more recent products from Fortinet and WatchGuard don’t appear to be impacted, Cisco has admitted finding a zero-day vulnerability (CVE-2016-6366) that affects its ASA and PIX firewalls.

Juniper Networks has also analyzed the leaked files and it has confirmed that some of the implants target its NetScreen firewalls running ScreenOS. The company’s investigation is ongoing, but an initial analysis indicates that the implants target the device’s bootloader rather than exploiting a vulnerability in ScreenOS.

After the world learned in December 2013 about the tools used by the NSA, Juniper said it investigated thousands of systems, but it had not found any evidence of a compromise. The network security firm did report identifying a couple of serious vulnerabilities last year that could have been exploited to gain administrative access to some firewalls and decrypt VPN traffic.

BENIGNCERTAIN tool targets Cisco PIX devices

Cisco confirmed last week that two of the exploits leaked by Shadow Brokers, dubbed EXTRABACON and EPICBANANA, and one implant, dubbed JETPLOW, targeted its ASA and PIX firewalls.

Researcher Mustafa Al-Bassam determined that BENIGNCERTAIN, another of the tools leaked by the hackers, also affects Cisco PIX devices and can be exploited to extract VPN private keys.

While Cisco PIX has not been supported since 2009, the product is still used by many organizations worldwide.

“Our investigation so far has not identified any new vulnerabilities in current products related to the exploit. Even though the Cisco PIX is not supported and has not been supported since 2009, out of concern for customers who are still using PIX we have investigated this issue and found PIX versions 6.x and prior are affected. PIX versions 7.0 and later are confirmed to be unaffected by BENIGNCERTAIN,” Cisco said in an update to its initial advisory.

Who is behind the Shadow Brokers leak?

While some experts have suggested that Russia is behind the Shadow Brokers leak, evidence also points to the possible involvement of an insider.

A former NSA employee told Motherboard that the names of the leaked files indicated that they were internally accessible files and they should not have been available on a server that could be accessed from outside the agency.

U.S. journalist James Bamford also believes that Edward Snowden might not be the only NSA leaker and that there could be another insider providing information to activists and WikiLeaks.

In the meantime, a hacker using the online moniker “1x0123” also claimed to have hacked the Equation Group, but he has not provided any strong evidence to back his claims.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.